When to Use AlwaysON

Use AlwaysON when you need to provide seamless VPN connectivity based on user location and have to prevent network access by a user who is not connected to a VPN.

The following scenarios illustrate the use of AlwaysON.

An employee starts the laptop outside the enterprise network and would otherwise need assistance to establish VPN connectivity. Solution: When the laptop is started outside the enterprise network, AlwaysON seamlessly establishes a tunnel and provides VPN connectivity.

An employee using VPN connectivity moves into the enterprise network. The employee is switched to the enterprise network but remains connected to the VPN tunnel, which is not a desirable state. Solution: When the employee moves into the enterprise network, AlwaysON tears down the VPN tunnel and seamlessly switches the employee to the enterprise network.

An employee moves outside the enterprise network and closes the laptop (not shut down). The employee would otherwise need assistance to establish VPN connectivity upon resuming work on the laptop. Solution: When the employee moves outside the enterprise network, AlwaysON seamlessly establishes a tunnel and provides VPN connectivity.

An enterprise wants to regulate the network access provided to its users when they are not connected to a VPN tunnel. Solution: Depending on the configuration, AlwaysON restricts access, allowing users to reach only the gateway network.

Understanding the AlwaysON Framework

AlwaysON automatically reconnects a user to a VPN tunnel that the client has established before. The first time the user needs a VPN tunnel, the user must connect to the Citrix Gateway URL and establish the tunnel manually. After the AlwaysON configuration is downloaded to the client, that configuration drives all subsequent tunnel establishment.

The Citrix Gateway client executable is always running on the client machine. When the user logs on or the network changes, the Citrix Gateway client determines whether or not the user laptop is on the enterprise network. Depending upon the location and the configuration, the Citrix Gateway client either establishes a tunnel or tears down an existing tunnel.

Tunnel establishment is initiated only after the user logs on to the computer. The Citrix Gateway client uses the configured authentication mechanism and tries to establish a tunnel. If the authentication methods do not involve a user prompt, the tunnel is established seamlessly.

Automatic Reestablishment of a Tunnel

Automatic reestablishment of a tunnel is triggered in the following situations:

VPN tunnel is torn down by Citrix Gateway

The Citrix Gateway client is aborted

Note

On an End-Point Analysis failure or certain other failures, the Citrix Gateway client does not reattempt tunnel establishment, but does display an error message. On an authentication failure, the Citrix Gateway client prompts the user for credentials.

Username + AD password: If the Windows username and password are used for authentication, the Citrix Gateway client seamlessly establishes the tunnel by using these credentials.

User certificate: If a user certificate is used for authentication and there is only one certificate on the machine, the Citrix Gateway client seamlessly establishes the tunnel by using that certificate. If multiple client certificates are installed, the tunnel is established after the user has selected the preferred certificate. The Citrix Gateway client reuses this preference for subsequently established tunnels.

User certificate and Username + AD Password: This authentication method combines the two methods described above, and is seamless under the same conditions.

Note

All other authentication mechanisms are supported, but tunnel establishment is not seamless with them: user intervention is required.

Configuration Requirements for AlwaysON

The enterprise administrator must enforce the following on managed devices:

The user must not be able to end the Citrix Gateway client process or service for the specific configuration

The user must not be able to uninstall the Citrix Gateway client package for the specific configuration

The user must not be able to change the specific registry entries that hold the configuration

Note

The feature might not work as expected if the user has administrative privileges, as is the case on non-managed devices: such a user can stop the client, uninstall it, or change its configuration.

Considerations While Enabling the AlwaysON feature

Review the following section before enabling the AlwaysON feature.

Primary Network Access: When the tunnel is established, which traffic is sent to the enterprise network is decided by the split-tunnel configuration. No additional configuration is provided to override this behavior.

Proxy settings of client machine: Proxy settings of the client machine are ignored for connecting to the gateway server.

Note

Only the proxy settings of the client machine are ignored; the Citrix ADC appliance's own proxy configuration is still honored. Users who have a proxy configured on their systems are notified that the VPN plug-in has ignored their proxy settings.

When the Client control value is set to "Deny", the following changes apply:

Client UI - The Logoff and Exit options in the plug-in context menu and plug-in UI are disabled. Users are not allowed to change the Gateway URL.

Browser logon - Browser logon to a different gateway is not allowed. Client controls are disabled.

Configuring AlwaysON

To configure AlwaysON, create an AlwaysON profile on the Citrix Gateway appliance and then apply the profile globally or through a session profile.

On the Global Settings page, click the Change Global Settings link, and then select the Client Experience tab.

From the AlwaysON Profile Name drop-down menu, select the newly created profile, and click OK.

Note

The same setting is available in a session profile, which applies the policy at the group, server, or user level instead of globally.
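The GUI steps above (and the session-profile alternative in the note) have a CLI equivalent that is easier to script, review and audit than clicking through the configuration utility. The following POSIX shell function is an added example, not part of the Citrix page: it validates the two AlwaysON settings named in this article and prints the corresponding Citrix ADC CLI batch, either for the global VPN parameter or bound to an AAA group through a session action and session policy. The command syntax is assumed from the Citrix ADC CLI reference (add vpn alwaysONProfile, set vpn parameter, add vpn sessionAction, add vpn sessionPolicy, bind aaa group); the profile, policy and group names, the policy priority and the gateway hostname are placeholders.

```shell
#!/bin/sh
# Added example (not Citrix code): render the Citrix ADC CLI batch that matches
# the AlwaysON GUI steps. Command names are assumed from the Citrix ADC CLI
# reference; object names, priority and hostname are placeholders.

# Usage: alwayson_batch <profile> <fullAccess|onlyToGateway> <ALLOW|DENY> [aaa-group]
#   Without a group the profile is applied globally (Global Settings > Client
#   Experience in the GUI); with a group it is applied through a session policy.
alwayson_batch() {
    profile="$1"; access="$2"; control="$3"; group="$4"

    # Reject anything outside the two enumerations the page describes, so a
    # typo cannot silently produce an unrestricted client.
    case "$access" in
        fullAccess|onlyToGateway) ;;
        *) echo "networkAccessONVPNFailure must be fullAccess or onlyToGateway" >&2; return 1 ;;
    esac
    case "$control" in
        ALLOW|DENY) ;;
        *) echo "clientControl must be ALLOW or DENY" >&2; return 1 ;;
    esac

    echo "add vpn alwaysONProfile $profile -networkAccessONVPNFailure $access -clientControl $control"

    if [ -z "$group" ]; then
        # Global application: equivalent of selecting the profile in the
        # AlwaysON Profile Name drop-down on the Client Experience tab.
        echo "set vpn parameter -alwaysONProfileName $profile"
    else
        # Group-level application: attach the profile to a session action,
        # wrap it in an always-true session policy and bind that to the group.
        echo "add vpn sessionAction act_alwayson_$group -alwaysONProfileName $profile"
        echo "add vpn sessionPolicy pol_alwayson_$group true act_alwayson_$group"
        echo "bind aaa group $group -policy pol_alwayson_$group -priority 100"
    fi
    echo "save ns config"
}

# Locked-down combination from the behavior table (onlyToGateway + DENY) for
# managed laptops. To apply it, pipe the output into the appliance CLI, e.g.
#   alwayson_batch prof_managed onlyToGateway DENY | ssh nsroot@gateway.example.com
alwayson_batch prof_managed onlyToGateway DENY
```

Run the script first without the ssh pipe and review the batch before sending it: the profile is only effective once it is referenced by set vpn parameter or by a bound session policy, and an invalid value for either setting makes the function return 1 so nothing is emitted.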

Behavior summary of different configurations for admin users and non-admin users

The following summarizes the behavior for each combination of the networkAccessONVPNFailure and Client control settings, and the user actions that can affect AlwaysON functionality. In every combination the tunnel is established automatically; the settings differ in what the user can do afterwards.

networkAccessONVPNFailure = fullaccess, Client control = Allow
Non-admin user: The user can log off and stay off the network. The user can also point to another Citrix Gateway.
Admin user: The user can log off and stay off the enterprise network. The user can also point to another Citrix Gateway.

networkAccessONVPNFailure = fullaccess, Client control = Deny
Non-admin user: The user cannot log off or point to another Citrix Gateway.
Admin user: The user can uninstall the Citrix Gateway client or move to another Citrix Gateway.

networkAccessONVPNFailure = onlyToGateway, Client control = Allow
Non-admin user: The user can log off (no network access). The user can also point to another Citrix Gateway, in which case access is given only to the newly selected Citrix Gateway.
Admin user: The user can uninstall the Citrix Gateway client or move to another Citrix Gateway.

networkAccessONVPNFailure = onlyToGateway, Client control = Deny
Non-admin user: The user cannot log off or point to another Citrix Gateway.
Admin user: The user can uninstall the Citrix Gateway client or move to another Citrix Gateway.

The official version of this content is in English. Some of the Citrix documentation content is machine translated for your convenience only. Citrix has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Citrix product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Citrix, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Citrix will not be held responsible for any damage or issues that may arise from using machine-translated content.

THIS SERVICE MAY CONTAIN TRANSLATIONS POWERED BY GOOGLE. GOOGLE DISCLAIMS ALL WARRANTIES RELATED TO THE TRANSLATIONS, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF ACCURACY, RELIABILITY, AND ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.